Validating, Sanitizing, and You.

I've noticed a alarming trend in my college career which is the practice of professors glossing over sanitizing user input. I can only guess this is because attempting to teach 30+ students, who hardly grasp the language to begin with, must parallel Sisyphus' struggle. I don't fault them, however we are sending swarms of programmers into the field grossly ignorant and unprepared for the security risk they will unknowingly impose on the unfortunate company that hires them. These professors will discuss user validation...vaguely and that is a good first step, but user validation should never replace sanitizing.


For example let's consider the following JavaScript:

function validateForm() { var x = document.forms["myForm"]["name"].value; if (x == null || x == "") { alert("Name must be filled out"); return false; } }

This code snippet will only validate that the name textfield is not empty. If this was your only form of checking user input then a malicious person could easily use this opportunity to inject something into your database. However if you add a some sanitizing to the mix you can reduce/remove this threat.


Trim, Stripslashes, and HTMLSpecialChars

$name = sanitize($_POST["name"]);

function sanitize($data) { $data = trim($data); $data = stripslashes($data); $data = htmlspecialchars($data); return $data; }

If you remove the whitespace, tabs, and new lines with trim(), remove slashes with stripslashes(), and convert HTML special characters with htmlspecialchars() then you will be in good shape however this is commonly considered the "less preferable" method, but it is easier for new users because of it's linear methodology.

MySQLi Real_Escape_String

There are 2 other methods, first we'll go over real_escape_string():

$name = "$_POST["name"]"; $name = $mysqli->real_escape_string($name);

if ($mysqli->query("INSERT into userinfo (name) VALUES ('$name')")) { printf("%d Row inserted.\n", $mysqli->affected_rows); }

This will escape the variable $name but would need to be done for each variable that contains user input. Both of the previous methods still contain a risk of exploit though which leaves them as undesirable methods.

PHP Data Objects (PDO)

PDO is the best method because the bound parameter values are not passed via the SQL statement, they are instead parsed or prepared before entry. Proponents claim this method can not be exploited, however I haven't done the proper research to back this up. The concept seems the safest bet though.

$stmt = $mysqli->prepare("INSERT INTO userinfo (name) VALUES (:name)");

$stmt->bindParam(':name', $_POST['name']); $stmt->execute();

Zero percent of this was covered to any usable capacity in any of my courses. All I can do is hope this information will help inform and protect someone.